LiveQuery protected field leak via shared mutable state across concurrent subscribers
- Severity: High
Description
When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber’s filter removes a protected field, subsequent subscribers may receive the already-filtered object.
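The interference described above can be reproduced in a simplified model. This is an added example, not parse-server's own code; the subscriber list, the `secretNote` field and all function names are constructed for illustration.

```javascript
// Simplified model of per-subscriber filtering; not parse-server code.
// Subscribers, field names and the sample event are constructed.
const subscribers = [
  { id: 'restricted', protectedFields: ['secretNote'] },
  { id: 'privileged', protectedFields: [] },
];

// Yields to the event loop; stands in for an async permission lookup.
const tick = () => new Promise((resolve) => setImmediate(resolve));

// Flawed pattern: deletes protected keys from the object it was handed,
// which every other concurrent handler is also holding.
async function filterInPlace(obj, sub) {
  await tick();
  for (const key of sub.protectedFields) delete obj[key];
  return obj;
}

// Isolated pattern: each subscriber filters its own deep copy.
async function filterOnCopy(obj, sub) {
  await tick();
  const copy = structuredClone(obj);
  for (const key of sub.protectedFields) delete copy[key];
  return copy;
}

// Fan one event out to all subscribers concurrently and record what
// each one would be sent.
async function dispatch(filter) {
  const event = { objectId: 'abc123', title: 'hello', secretNote: 'internal' };
  const delivered = {};
  await Promise.all(subscribers.map(async (sub) => {
    const view = await filter(event, sub);
    await tick(); // delivery happens after other handlers have run
    delivered[sub.id] = { ...view }; // snapshot at send time
  }));
  return delivered;
}
```

With `filterInPlace`, the privileged subscriber's payload is shaped by the restricted subscriber's filter; with `filterOnCopy`, each payload depends only on that subscriber's own rules.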
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **< 8.6.65; >= 9.0.0, < 9.7.0-alpha.9**
Patched version(s): **8.6.65, 9.7.0-alpha.9**
References
Related Issues
- Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance - CVE-2026-32242
- Parse Server has a protected field change detection oracle via LiveQuery watch parameter - CVE-2026-33429
- Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
- Parse Server leaks protected fields via LiveQuery afterEvent trigger - CVE-2026-33163
- Tags: npm, parse-server
Last updated on March 31, 2026


